AnalyticRuleValidationTesting

Solutions/testing/SpyCloudEnterpriseProtectionMalwareRule.yaml

@@ -0,0 +1,68 @@
+id: 7ba50f9e-2f94-462b-a54b-8642b8c041f5
+name: SpyCloud Enterprise Malware Detection
+description: |
+  'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
+severity: High
+requiredDataConnectors: []
+status: Available
+queryFrequency: 12h
+queryPeriod: 12h
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+tactics: 
+  - CredentialAccess
+relevantTechniques:
+  - T1555
+query: |
+  SpyCloudBreachDataWatchlist_CL
+  | where Severity_s == '25'
+  | project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 12h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride: null
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: Infected_Machine_Id_g
+      - identifier: DnsDomain
+        columnName: User_Hostname_s
+  - entityType: Account		
+    fieldMappings:
+      - identifier: FullName
+        columnName: Email_s
+      - identifier: Name
+        columnName: Username_s
+  - entityType: DNS		
+    fieldMappings:
+      - identifier: DomainName
+        columnName: Target_Domain_s
+  - entityType: DNS		
+    fieldMappings:      
+      - identifier: DomainName
+        columnName: Target_SubDomain_s
+  - entityType: IP		
+    fieldMappings:
+      - identifier: Address
+        columnName: IP_Address_s
+customDetails:
+  Document_Id: Document_Id_g
+  Password: Password_s
+  Password_Plaintext: Password_Plaintext_s
+  Infected_Path: Infected_Path_s
+  Infected_Time: Infected_Time_t
+  Domain: Domain_s
+  Source_Id: Source_Id_s
+  PublishDate: SpyCloud_Publish_Date_t
+  User_Host_Name: User_Hostname_s
+sentinelEntitiesMappings: null
+version: 1.0.0
+kind: Scheduled